Cookie Consent and Analytics in the Netherlands: What Dutch Website Owners Need to Know in 2026

715,000 Dutch websites use Google Analytics. The Autoriteit Persoonsgegevens monitors 10,000 of them a year for cookie compliance and explicitly says GA does not qualify for the Dutch analytics exemption. Yet the AP's only enforcement action against Google Analytics was a reprimand against Takeaway.com that was never made public. For a country with 99% internet penetration and one of Europe's strictest cookie laws, the gap between what the rules say and what actually happens is worth understanding.

The Dutch privacy paradox

More European internet traffic flows through Amsterdam than through any other city. AMS-IX, the Amsterdam Internet Exchange, handles over 14 Tbps at peak. The Netherlands has 99% internet penetration, tied with Denmark, Norway, and Switzerland for the highest in Europe. It is home to Startpage (the world's most private search engine) and Bits of Freedom (one of Europe's oldest digital rights organizations).

It also has one of Europe's strictest cookie laws, one of its most active privacy regulators, and a deeply rooted cultural commitment to data protection that goes back decades.

The Netherlands enacted data protection legislation in 1989, nearly a decade before most European peers. In 1995, the Dutch Data Protection Authority and the Netherlands Organisation for Applied Scientific Research (TNO) co-authored the foundational paper on Privacy Enhancing Technologies with Ontario's Information and Privacy Commissioner. That work became the basis for Privacy by Design, later codified as GDPR Article 25. The roots of this privacy culture run deep: the wartime abuse of the Dutch population registry left a lasting mark on how the country thinks about state and corporate data collection.

In 2018, five university students organized a national referendum against the Intelligence and Security Services Act (known as "de Sleepwet," the Dragnet Law), which granted Dutch intelligence services bulk surveillance powers. 49.44% voted against. The government passed the law anyway, with modifications.

The country that routes more European internet traffic than any other also has some of the strictest rules about what you can track on it.

The Autoriteit Persoonsgegevens: 300+ staff and a leadership transition

The Autoriteit Persoonsgegevens (AP) is the Dutch Data Protection Authority. It has over 300 staff, a 2026 budget of EUR 53.5 million, and offices in The Hague. Chair Aleid Wolfsen has led the AP since 2016. His second term ends in August 2026, and a vacancy for his replacement was posted in February.

Wolfsen's AP does not hesitate. It fined Uber EUR 290 million in July 2024 for transferring European drivers' sensitive data to the US without adequate safeguards, one of the largest single GDPR fines ever issued. It fined Clearview AI EUR 30.5 million for building an illegal facial recognition database, and investigated whether Clearview's directors could be held personally liable. It processed nearly 40,000 data breach notifications and over 7,500 citizen complaints in 2024.

Cookie enforcement has become a specific focus. The AP built an automated scanning system that structurally monitors 10,000 Dutch websites for cookie compliance. The Dutch government allocated EUR 500,000 per year specifically for cookie enforcement, with a permanent increase to EUR 350,000/year from 2027. In April 2025, the AP warned 50 organizations (online retailers, media companies, insurers) about misleading cookie banners. By late 2025, three-quarters of the 200+ warned websites had adjusted their banners. Those that refused face formal investigation.

The AP's 2026-2028 strategic priorities explicitly reclassify online tracking as a form of "mass surveillance." The stated position: people should be able to move freely online without being constantly tracked or observed. This is a regulator that treats your cookie banner the same way it treats a CCTV camera.

Wolfsen's departure in August 2026 is the most significant variable. His successor could maintain the current enforcement posture, or adjust it. Either way, the infrastructure is in place: automated scanning, dedicated budget, and a 500-organization-per-year warning pipeline.

The Telecommunicatiewet: the cookie law that predates the GDPR

Cookie consent in the Netherlands is governed by Article 11.7a of the Telecommunicatiewet (Telecommunications Act), the Dutch implementation of the EU ePrivacy Directive. This is the actual cookie law. Most Dutch website owners have heard of the AVG (the Dutch name for the GDPR). Far fewer know about the Telecommunicatiewet. But Article 11.7a is what determines whether you can set a cookie in the first place.

Explicit consent is required for all non-essential cookies. The Netherlands amended Article 11.7a in 2015 to require explicit, affirmative consent. No implied consent from browser settings. No consent inferred from continued browsing. The user must take a clear affirmative action before any non-essential cookie fires.

Cookie walls are banned. The 2015 amendment clarified that consent must be "freely given," and the AP has consistently interpreted this as prohibiting cookie walls. If you block access to your website unless visitors accept tracking cookies, the consent is not freely given and therefore invalid. The Netherlands was among the first EU countries to take this position, years before GDPR Article 7(4) and Recital 42 reinforced the same principle at the EU level.

Two exemptions exist. A cookie is exempt if it is: (a) strictly necessary for transmitting a communication over a network, or (b) strictly necessary for providing a service the user explicitly requested. Session management, shopping carts, authentication, CSRF tokens, language preferences.

Consent must meet the GDPR standard. Since 2015, Dutch cookie consent must be freely given, specific, informed, and an unambiguous indication by clear affirmative action. Reject must be as easy as Accept. Pre-ticked boxes are invalid. No dark patterns, no deceptive colour contrast, no hiding the reject option behind multiple clicks.

The Telecommunicatiewet and the AVG are enforced by the same authority: the AP. This was not always the case. Cookie enforcement originally sat with the ACM (Authority for Consumers & Markets), but was transferred to the AP, consolidating privacy enforcement under one roof.

The Dutch analytics exemption

This is where the Netherlands diverges from most EU countries. While the Telecommunicatiewet does not explicitly exempt analytics cookies in its statutory text, the AP has adopted a pragmatic interpretation that allows certain analytics cookies without consent.

The conditions are strict. An analytics cookie qualifies for the exemption only if it meets all of the following:

1. First-party only. The cookie is set by the website itself, not by a third-party domain.
2. IP addresses are anonymized or masked.
3. No cross-site tracking. The cookie does not track visitors across different websites.
4. Data is not shared with third parties for their own purposes.
5. Minimal privacy impact. The data is used solely to measure website performance and quality.

The exemption is generous by European standards. France's CNIL initially required consent even for audience measurement cookies before softening its position in 2020. Germany only clarified its approach after the TTDSG took effect in December 2021. The Dutch exemption has been in place since 2015.

But the exemption only applies to cookie-based tools that genuinely meet all five conditions. Clickport sidesteps the entire framework. No cookies means the Telecommunicatiewet's consent requirement for device access does not apply. The analytics exemption becomes irrelevant because there is nothing to exempt.

Google Analytics in the Netherlands: reprimand, not a ban

Unlike Austria (December 2021), France (February 2022), and Italy (June 2022), the AP never banned Google Analytics.

The AP was part of the EDPB Task Force 101, set up in September 2020 to coordinate a consistent response to the 101 identical complaints noyb filed across EEA data protection authorities. While Austria, France, Italy, Denmark, and Finland issued formal decisions declaring GA unlawful, the Netherlands took a different path.

On 20 August 2024, the AP issued a formal reprimand against Takeaway.com Group B.V. for violating GDPR Article 44 by transferring personal data to the US via Google Analytics between August 2020 and September 2023 without valid legal mechanisms. No fine. The reprimand was not made public under the AP's standard disclosure policy. It only came to light through a Freedom of Information request.

In November 2025, the AP confirmed in an official advisory to the Dutch parliament that its investigation resulted only in this reprimand, that no separate published decision exists, and that a total ban on Google Analytics is not planned.

Three critical details:

The reprimand concerned Universal Analytics only. The AP explicitly stated it has not conducted any investigation into GA4. The violation period ended in September 2023, when Google implemented the EU-US Data Privacy Framework.

The remaining compliance obligation is cookie consent. The data transfer issue is resolved by the DPF. But GA4 still requires a cookie (_ga) to function. Under the Telecommunicatiewet, that cookie needs explicit consent before it fires. The AP's analytics exemption does not apply to GA4 because Google uses analytics data for its own purposes.

715,000 Dutch websites still use Google Analytics. According to BuiltWith, GA remains the dominant analytics platform in the Netherlands. The Dutch government is an exception: it announced in December 2025 that it would stop using Google Analytics on werkenvoornederland.nl (the government job vacancy site), after it emerged GA was running on pages where applicants applied to intelligence services.

Notable enforcement actions

The AP has enforced across a broad range of industries. The cookie-specific cases set the clearest precedent for website owners.

A.S. Watson / Kruidvat: EUR 600,000 (July 2024). Tracking cookies were placed on Kruidvat.nl without valid consent. Cookie consent checkboxes were pre-ticked. Visitors who wanted to refuse had to navigate multiple steps. The AP singled out that the tracked pages included personal health product categories, making the privacy impact more severe. The investigation started in late 2019. The violation was resolved in October 2020, but the fine still came.

Coolblue: EUR 40,000 (January 2024, upheld on appeal December 2024). Coolblue automatically assumed visitor consent with pre-checked cookie boxes. This was the first cookie case the AP carried through the full administrative enforcement process. The fine was small. The precedent was not.

Uber: EUR 290 million (July 2024). European drivers' personal data, including location data, taxi licenses, photos, payment information, identity documents, and criminal and medical records, was transferred to the US without adequate safeguards for over two years. This was Uber's third AP fine (after EUR 600,000 in 2018 and EUR 10 million in December 2023).

Clearview AI: EUR 30.5 million (September 2024). Illegal collection of billions of facial images for a facial recognition database, including Dutch citizens. An additional EUR 5.1 million penalty for continued non-compliance.

Dutch courts have reinforced the AP's cookie enforcement. In Criteo v. Privacy Protection Foundation (late 2023), the Amsterdam District Court ruled that ad tech company Criteo violated GDPR by placing tracking cookies without consent on 39 of 40 websites tested. Criteo was held jointly responsible with its publisher partners for ensuring valid consent. In June 2024, the court prohibited LinkedIn, Microsoft, and Xandr from placing tracking cookies without user consent.

The principle: companies that place cookies through third-party websites are joint controllers. They cannot outsource consent responsibility to publishers.

What's coming in 2026 and beyond

Three developments will shape Dutch cookie law over the next two years.

Wolfsen's replacement (August 2026). The AP chair vacancy was posted in February 2026. The VVD party called for Wolfsen's replacement back in 2023, arguing his approach was too rigid. His successor will inherit a regulator with automated scanning infrastructure, dedicated cookie enforcement funding, and a three-year strategic plan that treats online tracking as surveillance. The enforcement machinery runs regardless of who sits in the chair. But tone and priorities can shift.

The Digital Omnibus (proposed November 2025). The European Commission's Digital Omnibus package proposes moving cookie rules from the ePrivacy Directive into the GDPR itself. A new Article 88a would create an EU-wide exemption for audience measurement cookies, similar to the Dutch analytics exemption that already exists. The Netherlands has raised serious concerns about the proposal, supporting simplification but rejecting changes that weaken protections. The EDPB's Joint Opinion (February 2026) called for strict limits on the audience measurement exemption. Legal analyses by Taylor Wessing and Osborne Clarke conclude it is too narrow to cover cross-site analytics tools like Google Analytics. Earliest practical impact: 2028.

AP 2026 priorities: online tracking as mass surveillance. The AP's 2026-2028 strategic focus has three pillars: mass surveillance, artificial intelligence, and digital resilience. Online tracking and cookie profiling are explicitly categorized under "mass surveillance" alongside camera surveillance and law enforcement practices. The AP plans to warn 500 organizations per year about cookie violations and continue structural monitoring of 10,000 websites. This is not slowing down.

What this means for your website

If you run a website targeting Dutch visitors, here is the practical picture.

The rules are clear. Non-essential cookies require explicit consent. Cookie walls are banned. Reject must be as easy as Accept. Pre-ticked boxes are invalid. The AP scans 10,000 websites a year and has dedicated funding to enforce.

The analytics exemption is narrow. First-party, IP-anonymized, no cross-site tracking, no data sharing. Google Analytics does not qualify. A correctly configured first-party cookie tool might. Cookieless analytics do not need the exemption because there is nothing to exempt.

Three out of four Dutch visitors reject or ignore cookie banners. The Netherlands has an estimated 23.4% cookie acceptance rate. Combined with approximately 20% ad blocker usage, cookie-based analytics miss a significant share of your Dutch traffic.

Not sure where your site stands? Run it through our free GDPR compliance checker for a quick audit.

The simplest path to compliance in the Netherlands is to remove the thing that triggers the Telecommunicatiewet in the first place. No cookies means no consent requirement, no cookie banner, no cookie wall concerns, no analytics exemption conditions to meet, and no risk of being one of the 500 organizations the AP warns this year.

Clickport is cookieless, tracks no personal data, and stores everything on European servers. No consent banner needed. Every visitor counted. Start your free 30-day trial. No credit card required.

For the full EU-wide picture on Google Analytics legality, see our overview of all DPA rulings. For how cookieless analytics work without consent, see our cookie-banner-free analytics guide. For what the Digital Omnibus changes across the EU, see our Digital Omnibus explainer.

Frequently asked questions

Is Google Analytics legal in the Netherlands?

Google Analytics is not banned in the Netherlands. The AP issued a private reprimand against Takeaway.com for Universal Analytics data transfers, but has never investigated GA4 and has stated that a ban is not planned. However, GA4 requires a cookie, and the AP explicitly says GA does not qualify for the Dutch analytics exemption. You need valid cookie consent before firing GA4 on a Dutch website.

What is the Dutch analytics cookie exemption?

The AP allows certain first-party analytics cookies without consent if they meet five conditions: first-party only, IP addresses anonymized, no cross-site tracking, data not shared with third parties, and used solely for aggregate website performance measurement. A first-party cookie tool configured correctly can qualify. Google Analytics does not because data is shared with Google for its own purposes.

Are cookie walls allowed in the Netherlands?

No. The 2015 amendment to the Telecommunicatiewet requires consent to be "freely given," and the AP has consistently interpreted this as prohibiting cookie walls. Blocking access to your website unless visitors accept tracking cookies means consent is not freely given and is therefore invalid. The Netherlands was among the first EU countries to take this position. The GDPR later reinforced it at the EU level through Article 7(4) and Recital 42.

What fines has the AP issued for cookie violations?

The AP fined A.S. Watson (Kruidvat) EUR 600,000 in July 2024 for placing tracking cookies on health product pages without valid consent, and Coolblue EUR 40,000 in January 2024 for pre-ticked cookie consent boxes. The AP has also warned over 200 websites about misleading cookie banners and plans to warn 500 organizations per year.

Do I need a cookie banner for analytics in the Netherlands?

If your analytics tool sets cookies, yes. The Telecommunicatiewet requires explicit consent for all non-essential cookies, including analytics cookies that do not qualify for the AP's first-party analytics exemption. If your analytics tool is cookieless and does not access anything on the visitor's device, the Telecommunicatiewet's consent requirement does not apply, and no cookie banner is needed for analytics.

How does the AP monitor cookie compliance?

The AP runs an automated scanning system that monitors 10,000 Dutch websites annually for cookie compliance. It checks whether cookies fire before consent, whether reject buttons are equally prominent, and whether cookie banners use dark patterns. The Dutch government provides dedicated funding (EUR 500,000/year) for this program. Organizations that fail receive warning letters with a three-month compliance window before formal investigation.

Will the Digital Omnibus change Dutch cookie rules?

The EU Digital Omnibus (proposed November 2025) would create an EU-wide analytics cookie exemption similar to what the Netherlands already has. The Netherlands has raised concerns about the proposal. The EDPB flagged that the exemption is too narrow to cover tools like Google Analytics. Earliest practical impact is 2028. Until then, the Telecommunicatiewet remains the governing law.